So over the past few weeks, I informed you that your passwords probably suck and why they suck, and then I gave you some general tips on how to make sure your passwords are strong. Today, we’ll take a look at how to actually put together some killer passwords that aren’t going to get hacked (unless you write them down on sticky notes and plaster them all over your office…I just can’t help you with that one).
In Part III of my passwords series, I discussed two major rules for making strong passwords:
- Follow the Rule of Four: Make sure you use all four character sets when creating a password (lowercase letters, uppercase letters, numbers, and special characters).
- Longer is Stronger: The longer your password is, the longer it takes a hacker to brute force it open. By today’s standard, 14 characters is probably long enough (it could take up to 15 thousand centuries to crack if you use all four character sets).
The trouble with long passwords that contain all four character sets is that they can get unwieldy and hard to remember, especially if you’re using a different password for every site you use, which you are doing…right? In a perfect world, your passwords need to be unique and too long for a hacker to crack, but easy enough for you to remember. Follow me to that perfect world…
For this article, I’m going to return to security expert Steve Gibson’s Password Haystack concept because, well, the guy’s a genius and his approach to passwords is spot-on. Mr. Gibson introduces the concept of padding where you come up with a short, easy-to-remember word or phrase, then add easy-to-remember padding to it to make it longer and stronger. In his post, Mr. Gibson asks us which of the following passwords we think is more secure:
Believe it or not, the first password takes approximately 95 times longer to brute-force crack than the second one, even though it’s so much easier to remember. Mr. Gibson goes into a lot more detail in his article, and I’d recommend reading it. Or if video is more up your alley, he discusses his theories in his Security Now podcast.
Now, don’t go slapping a bunch of periods at the end of your crummy passwords and expect good things. The Haystack article is over two years old and the hackers have caught on to the “periods at the end” thing. But the concept is still valid. What you need to do is come up with your own padding schemes and use them with your own base words to make them unique, easy to remember, and super secure. Let’s look at some examples:
Say you’re a Chevy person and you really love the Camaro. It’s a beauty, ain’t it? Anyway, you could start with a base of Camaro. It has uppercase and lowercase letters, so it’s a decent start.
For padding, you could use symbols that look like the front of a car: 0o..=..o0. That adds numbers (zeros) and special characters (periods and an equals sign), so you’re meeting the Rule of Four. Add the word and the padding together and you get a 15-character password.
The Haystack Calculator indicates that Camaro0o..=..o0 would take between 15,000 centuries and 1.5 million centuries to brute force. And if you like the Camaro, it should be easy for you to remember.
You’re really into Valentine’s day, so your base word is: Cupid
It’s an easy word, so you decide to change the i to a number 1 to make it slightly harder to crack: Cup1d
You come up with some padding that looks like an arrow piercing a heart: >>–<3–>
Nothing says you can’t put the padding at the beginning, so you have >>–<3–>Cup1d as a final password. It consists of 14 characters and uses all four character sets, so it should be safe for several thousand centuries.
Maybe you dig airplanes, so you start with a base: JetPlane
You build padding that resembles an airplane coming toward you: ––0-^V^-0––
Nothing says you can’t put the padding in the middle, so you have Jet––0-^V^-0––Plane. It’s 19 characters that should be safe from a brute force attack for about a hundred trillion centuries.
I hope you’re starting to see how this all works. By starting with common words and generating padding, you can come up with many passwords that are both easy for you to remember and too hard for a hacker to crack. The padding examples I came up with above are fairly elaborate. You can always make simpler ones like **8** or >-3-< or <===L7=.
The possibilities are endless. Go ahead, come up with your own…they’ll be easier for you to remember that way!
Don’t use the specific passwords I came up with above. Because I’m publishing this article to the Internet, there’s a chance hackers will find this site and add these specific passwords to their dictionaries.
NEXT STEP: DEVELOP A SYSTEM
So now you know how to make a password strong and easier to remember. And that’s great if you need to come up with one password. But remember, you want to come up with a different password for each site you log in to. What if that’s 100 sites? Then the task of coming up with 100 passwords becomes daunting. Unless, of course, you have some sort of system to keep it manageable.
Say you use a combination of two words for a base. Maybe an adjective + a noun. For example the term Vanilla Pudding. If you come up with five adjectives and five nouns, you now have 25 possible combinations.
Now here’s the beauty: simply come up with four different padding schemes, and you now have 100 possible unique combinations. And to further spice things up, you can place the padding either at the beginning of the password, at the end of the password, or in between the two terms. Technically, this now gives you 300 different unique combinations out of ten starting terms and four padding schemes.
You get a lot of bang for your buck with a system like this.
FINAL THOUGHT: DON’T WRITE THEM DOWN!
So once you’ve gone through all the paces, you have yourself a pile of strong, unique, easy-to-remember passwords. You’ll still need help remembering them, but you can’t write them down. If someone breaks into your house and finds your sticky notes or notebook, they’ll get access to everything. Instead, come up with code words for your terms that only you know.
For example, say you combine terms and come up with Vanilla0o–=–o0Jelly as a password. Don’t write it like that. Maybe you’re a big Golden Earring fan and you love the song Vanilla Queen. And maybe the term Jelly reminds you of the band Green Jelly and their song about the Big Bad Wolf. And you know the padding as the Camaro padding from the example above. So instead of writing down the real password, you can write down QueenCamaroWolf. No one else knows what that means, but you know the words stand for Vanilla, 0o–=–o0, and Jelly.
Sound easier than you thought it would? I hope so. In my next article about passwords, I’ll talk a little about ways to manage passwords so they don’t get out of hand. Until then, use this handy little checklist to make sure your passwords are up to snuff:
- Did you use characters from all four character sets (lowercase letters, uppercase letters, numbers, special characters)?
- Do you have at least 14 characters in your password?
- Did you make sensible use of padding?
- Is your password easy to remember?
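To put numbers on the worked examples above and on this checklist, here is an added Python example (not from this article or from Gibson’s site) that counts the character sets a password uses, applies the Rule of Four and the 14-character check, and sizes the brute-force search space the way a haystack calculator does. The three guess rates are assumed values, and the sample passwords are ASCII re-typings of the article’s examples (plain hyphens in place of dashes).

```python
# Added example: Rule of Four / length checklist plus a haystack-style
# brute-force estimate. Character-set sizes: 26 lowercase, 26 uppercase,
# 10 digits, 33 printable ASCII symbols.
SET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guesses per second. ASSUMED values for three attacker scenarios
# (online login form, offline hash cracking, large cracking array).
GUESS_RATES = {
    "online attack": 1e3,
    "offline fast attack": 1e11,
    "massive cracking array": 1e14,
}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def character_sets(password):
    """Return the character classes present (the Rule of Four)."""
    sets = set()
    for ch in password:
        if ch.isascii() and ch.islower():
            sets.add("lower")
        elif ch.isascii() and ch.isupper():
            sets.add("upper")
        elif ch.isdigit():
            sets.add("digit")
        else:
            sets.add("symbol")  # anything else counts as a special character
    return sets


def search_space(password):
    """Size of the brute-force space: (alphabet in use) ** length.
    The attacker is assumed to know nothing about the word/padding layout."""
    alphabet = sum(SET_SIZES[s] for s in character_sets(password))
    return alphabet ** len(password)


def centuries_to_exhaust(password, rate):
    """Centuries to try every candidate at `rate` guesses per second."""
    return search_space(password) / rate / SECONDS_PER_CENTURY


def checklist(password, min_length=14):
    """The article's checklist, minus the 'easy to remember' item."""
    return {
        "rule_of_four": len(character_sets(password)) == 4,
        "long_enough": len(password) >= min_length,
    }


if __name__ == "__main__":
    # Constructed samples: ASCII versions of the article's examples.
    for pw in ["Camaro", "Camaro0o..=..o0", ">>--<3-->Cup1d", "Jet--0-^V^-0--Plane"]:
        print(pw, checklist(pw),
              {k: f"{centuries_to_exhaust(pw, r):.3g} centuries" for k, r in GUESS_RATES.items()})
```

The estimate assumes a pure brute-force search; an attacker who has learned a popular padding pattern (the “periods at the end” problem above) searches a much smaller space, which is why the padding has to be your own.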